Using Ants to Secure your Network
by Bruce O'Neel
Abstract
Those of us who manage diverse networks of systems, especially those that sadly include Windows(tm) systems, are constantly fighting different network intrusions. The catch is that we can currently only fight the ones we know about with any ease. What about the ones we don't know about?
One way to look for unknown and undiscovered network attacks is to filter the output of tcpdump, removing known packets, and leaving one with packets that might be of interest. Sadly on most networks you are left with masses of data to scan and grep/perl/awk/human eye just doesn't work.
This paper will present the results of a program which scans the pcap file format written by tcpdump and separates out unusual packets, which can then be examined more closely by a human. It uses techniques from Ant Colony Optimization, so it is not necessary to predetermine which packets might be unusual; rather, the unusual packets emerge as the result of running the program. In addition, this technique works even for anonymized packets.
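The abstract above describes two steps: reading the pcap file that tcpdump writes, and separating out packets that do not look like the bulk of the traffic. The following is an added illustration, not the author's program and not the Ant Colony Optimization code the paper describes: it parses the pcap global and record headers (both byte orders), reduces each IPv4 frame to a small feature key (protocol, destination port, TCP flags) that survives address anonymization, and then substitutes a simple frequency heuristic for the ACO step, flagging any key that makes up at most a given share of the capture. The sample capture, its addresses and the UDP port 9999 are constructed for the example.

```python
import struct
from collections import Counter

# --- constructed sample traffic (not from the paper) -------------------------

def build_pcap(frames, endian='<'):
    """Write a pcap v2.4 file (the format tcpdump writes) from raw Ethernet frames.
    endian='<' gives a little-endian file, '>' a byte-swapped one."""
    out = struct.pack(endian + 'IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + 'IIII', 1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return out

def ipv4_frame(src, dst, proto, l4):
    """Ethernet + IPv4 header around a layer-4 payload; checksums are left zero."""
    eth = b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb' + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return eth + ip + l4

def tcp_segment(sport, dport, flags):
    return struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(sport, dport, payload):
    return struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload

# Nine SYNs and nine ACKs to TCP/443 (the "known" traffic) plus one odd UDP datagram.
SAMPLE_FRAMES = (
    [ipv4_frame('10.0.0.2', '10.0.0.1', 6, tcp_segment(40000 + i, 443, 0x02)) for i in range(9)]
    + [ipv4_frame('10.0.0.2', '10.0.0.1', 6, tcp_segment(40000 + i, 443, 0x10)) for i in range(9)]
    + [ipv4_frame('10.0.0.3', '10.0.0.9', 17, udp_datagram(5555, 9999, b'hello'))]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

# --- pcap reader ---------------------------------------------------------------

def read_pcap(data):
    """Yield (ts_sec, frame) for each record; honours the byte order the magic number implies."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = '<'
    elif magic == 0xD4C3B2A1:
        endian = '>'
    else:
        raise ValueError('not a pcap file')
    _, _, _, _, _, _, linktype = struct.unpack(endian + 'IHHiIII', data[:24])
    if linktype != 1:
        raise ValueError('this example only decodes Ethernet (link type 1)')
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

# --- feature extraction and the "unusual" filter --------------------------------

def packet_key(frame):
    """Reduce a frame to (proto, dst_port, tcp_flags): fields that survive IP anonymization."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return ('non-ipv4', None, None)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]                      # IPv4 protocol field is at IP offset 9
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 14:
        return ('tcp', struct.unpack('!H', l4[2:4])[0], l4[13])
    if proto == 17 and len(l4) >= 4:
        return ('udp', struct.unpack('!H', l4[2:4])[0], None)
    return ('ip-proto-%d' % proto, None, None)

def unusual_packets(pcap_bytes, max_share=0.1):
    """Return (ts_sec, key) for packets whose feature key is rare in the capture.
    This frequency threshold stands in for the ACO clustering the paper uses."""
    records = [(ts, packet_key(frame)) for ts, frame in read_pcap(pcap_bytes)]
    counts = Counter(key for _, key in records)
    total = len(records)
    return [(ts, key) for ts, key in records if counts[key] / total <= max_share]

if __name__ == '__main__':
    for ts, key in unusual_packets(SAMPLE_PCAP):
        print(ts, key)
```

Running the block prints only the UDP datagram to port 9999, since the two TCP keys each account for nearly half of the constructed capture. On a real tcpdump file the threshold would need tuning, which is exactly the predetermination the paper's ACO approach is meant to avoid.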
Author bio
Bruce O'Neel has worked many years in different bits of the computer world. His non-paid work these days concentrates on OpenBSD.